Search results

  1. Post: [Jailbreak]Take Note Verizon - Root/Jailbreak/Recovery

    This unlock was basically identical to the second Galaxy Note 2 unlock, except I had to add a few more tweaks because we're shoving a modified N8010 bootloader onto the i925.
  2. Post: [Jailbreak][Root][Recovery] Back Atcha Verizon -- update 17MAR13: Windows/Linux

    Ironically, I probably wouldn't have noticed the hole used this time had they not added the blacklisting of the old versions. Looking at the code for that gave me a push in the right direction.
  3. Post: How to Unlock Your Bootloader - Firmware Version VRALJB

    Reserved for technical details
  4. Post: Qpst - mprg8960.hex [found!]

    There's definitely code in the 8960 PBL for the programmer. The reason it's probably not included with QPST is because the programmer is signed and signature-checked in the same way as SBL1, which means there's a programmer for each OEM and probably a different one for each phone model by the...
  5. Post: 32 Gb PIT file

    Slight correction: the GPT can be dumped with dd if=/dev/block/mmcblk0 of=/sdcard/gpt.bin bs=8 count=2176; it's 0x200 bytes for the protective MBR, 0x200 for the GPT header, and 128 x 128 byte GPT partition headers = 0x4400 bytes for the full GPT block. I already removed the bootchain from my...
  6. Post: [R&D] Unlock Bootloaders

    0x8834 is part of the PBL code (the PBL ranges from 0x0 to 0x18000). It's part of the function that checks if secure boot is enabled, seen below (is it ok to post this? not sure):

    ROM:00008824 is_secure_boot_enabled ; CODE XREF: pbl_dload_auth_flash_prog+48p
    ROM:00008824...
  7. Post: [R&D] Unlock Bootloaders

    For our phone it would need to be 0x8834. That's the end of the function that checks if the secure boot bit is enabled, so by setting r0 to 0 you just force it to return false. The specific value that determines whether secboot is on is at 0x706038 in memory, 5th bit (0x20). If set, secboot is...
  8. Post: [R&D] Unlock Bootloaders

    I'll take a look, but I think I did manage to get everything. It copies a lot of itself in the 0x12000 range up to 0x20000. It ends up looking like slide 21 in the 8960 boot architecture pdf.
  9. Post: [R&D] Unlock Bootloaders

    Hadn't seen that before, but yeah, it appears to have gotten at least part of it. I can't say whether it's the full thing because there are some references in the 0x20000 range, but the rpm firmware is loaded there after the pbl is through, which could mean the original data was overwritten. I'll...
  10. Post: [R&D] Unlock Bootloaders

    I guess it might be helpful to explain why we can't just flash other devices' bootloaders. Every bootloader image has 3 sections: code, signature, and a certificate chain. These are normal DER/ASN.1 certs (up to 3), nothing all that special except the first certificate has some extra...
  11. Post: [R&D] Unlock Bootloaders

    It looks like ours deviates slightly from this. If the headers are to be believed, TZ is loaded at 0x2A000000, SBL3 is loaded at 0x8FF00000, and APPSBL/aboot is loaded at 0x88E00000.
  12. Post: [R&D] Unlock Bootloaders

    That's part of a function that looks up the next image in the bootchain to load.

    void __fastcall boot_config_load_entry(boot_config *config_ctx, load_config *load_cfg)
    {
        int (__fastcall *v4)(boot_config *);
        int v5;
        int v6;
        char *v7;
        boot_flash_dev_if...
  13. Post: [R&D] Unlock Bootloaders

    I think I'm about 2 weeks late with this, but like Adam I've also been dealing with the hassles of moving. Here's some info that will get you started looking at the bootloader files in IDA. Each of the bootloader files (sbl1, sbl2, sbl3, tz, rpm, aboot) has a 40 byte header that has info we'll...
  14. Post: [R&D] Unlock Bootloaders

    That's not an offset into the mmc, but rather part of the MSM_SHARED_IMEM_BASE region of memory. To write to it, aboot does *(int*)0x2A03F65C = restart_reason, but depending on the current environment you may need to do more work to write there. Check arch_reset() in arch/arm/mach-msm/restart.c...
  15. Post: [R&D] Unlock Bootloaders

    The aboot in the SGS3 is heavily based on lk, but also modified in certain areas. One of the places they changed was fastboot, where they replaced it with 2 other boot modes instead (odin and rdx). The normal fastboot stuff is mostly gone. Setting the restart reason (at 0x2A03F65C) to...
  16. Post: [R&D] Unlock Bootloaders

    That's from aboot_init; a decompiled version is available at http://pastie.org/4339731
  17. Post: [R&D] Unlock Bootloaders

    It's been a few days, so I wanted to give an update on the signature check on boot.img. As has been previously guessed, everything important in boot.img is included in the signature check. page_size is always 0x800 since we're using emmc boot. hash_size = 0x800 (read the first page with the...
  18. Post: [R&D] Unlock Bootloaders

    All I can see that putting it into factory mode does is allow the odin command handler to reset the ddi info (flash counter, binary type, etc). Normally odin is still blocked from doing that. EDIT: More specifically, if factory mode is on it automatically clears the ddi info when the odin...
  19. Post: [R&D] Unlock Bootloaders

    The time theory was more a guess based on how they calculate another parameter, called the "cordon", which also uses the same encryption. This cordon is passed to the kernel on the cmdline for an unknown purpose. Calculations can be seen at http://pastie.org/4285958. get_time_since_boot returns an...
  20. Post: [R&D] Unlock Bootloaders

    Right, one thing I forgot to write earlier was that the rom_type field of the ddi_data is calculated at runtime only. All that's stored on the mmc is the first field through the end of the model name. As for the 16 bytes in param being different every boot, it's probably because there's a...
  21. Post: [R&D] Unlock Bootloaders

    Those are offsets into the param partition. (I'm the Lee from the email earlier.)